Security Pros Must Protect & Advance the Business
The never-ending threats and vulnerabilities that IT professionals are combating on a daily basis have reached epidemic proportions. At the same time, these security folks are also being asked to evolve into enablers of the business.
In other words, the business needs security teams to keep saying "no" to risky behaviors, but it also wants them to start saying "yes" to technologies that can drive business opportunities. This was one of the persistent themes of last week's RSA Security Conference in San Francisco.
This push-and-pull was perfectly summed up by Eugene Spafford, director of Purdue University's Center for Education and Research in Information Assurance and Security. Spafford, who's known in security circles as "Spaf," was one of the panelists during a session pitting security principles against the realities of security corporate computing environments, and he made it clear that security pros are in the midst of an identity crisis.
"The goal should be to allow people to do their jobs without getting in their way," said Spafford. "That's the big problem with security in general. We get in the way."
Some companies are finding opportunities to get security "out of the way." For instance, Jim Routh, chief information security officer for insurance provider Aetna, and one of Spafford's co-panelists, was motivated by research indicating that 70 percent of the business processes that rely on Social Security numbers have no real need for that data. As a result, he's out to eliminate SS numbers in as many of those processes as he can.
"This principle tries to eliminate the risk by eliminating the need to touch that information," Routh explained.
From a bigger-picture perspective, Routh has enlarged the description of his job duties from overseeing security to overseeing quality. "Security's just an element of quality," he said.
Michael Hammer, who manages Web operations security for American Greetings' online unit, said he'd love to be a bigger part of quality—if more business managers would let him. "We want to drive the business and help them do the business-y things they want to do," Hammer said during a panel discussion on cloud security.
Unfortunately, though some American Greetings' managers engage the security team early in technology initiatives, others keep security view security as an obstacle and keep it at arm's length until later in the process. "If they had engaged in the process, we'd have found ways to help them do what they wanted to do," said Hammer.
Fellow panelist Bill Burns, former InfoSec director at Netflix, added that security teams too often are looped in after decisions are made to sign up for cloud-based services. For example, whenever a business unit finally got around to informing Burns about a new service they'd signed up for, his response was typically, "Let me tell you about the security risks you just introduced."
Involving security earlier in the process is especially critical to extract the full value of cloud services, which Burns said require "a certain amount of bring-your-own-security."
A big part of the struggle to change the way security is viewed—by both the IT staff and the business—involves the changing way in which security success is measured.
According to Greg Schaffer, a former security executive at Fidelity National Information Services who is now CEO of security startup First72 Cyber, security success can no longer be determined by simple incident counts. Instead, it should be measured incrementally over time.
"The fact that you haven't had an incident is not an indication that you're more secure," Schaffer said during a panel on aligning security resources, "and the fact that you had an incident is not an indication that you're less secure."